Drupal Security Announcement, PSA-2016-003

On October 11th, there was a Public Service Announcement (PSA) from the Drupal.org Security Team. This PSA was intended to alert everyone managing a Drupal 7 or Drupal 8 website that Spammers had been found uploading files to Drupal websites and then linking to these files from other websites as a method of gaining an artificial SEO “boost”.

Agileware have audited all the Drupal websites that Agileware support and adjusted the Drupal website configuration where needed to prevent this issue from occurring. You will have seen an activity entry in the Drupal Support Activity Report which corresponds to this work.

However, it is important to understand the two features that Spammers are taking advantage of. These are:

Files uploaded to Drupal, when stored in a File field using the “Public” storage method, are available to anyone on the Internet via a known URL. Spammers then link to the URL of the uploaded file from other websites.

Even if validation fails for the Form containing the field, so that the uploaded file is only a “temporary file”, the uploaded file will still remain on the website for up to 6 hours by default. After that time, Drupal automatically deletes the “temporary file”.

Unfortunately, this gives Spammers a 6 hour window in which to receive the artificial SEO “boost”. It is also an opportunity for Google to discover this URL, detect the Spam and flag your website as being “hacked”. This is far from great, because a security warning will then appear in Google search results whenever your website is listed, and even when someone visits your website (using the Google Chrome Browser). This has the potential to seriously damage your organisation’s brand, trust and reputation.

To avoid this situation for your website:

When using a Webform on the website that needs to allow file uploads (using a File field):

Ensure that the “Private” storage method is selected for the File field.

This will prevent Spammers from being able to publicly link to the URL for the uploaded file, even if the form fails input validation.

The above rule also applies to any other Form which you may be using on Drupal for receiving public, unauthenticated content.
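To check a site for the two conditions described above, here is an added audit script (not from the Agileware post or from Drupal core). It assumes a Drupal 7 site with Drush available, and relies on the core Field API (`field_info_fields()` and its `uri_scheme` setting) and the `file_managed` table; the script file name is an assumption.

```php
<?php
// Added audit script (not from the Agileware post or Drupal core). Assumes a Drupal 7
// site and Drush; run it with: drush php-script audit_public_uploads.php
// It reports (1) file/image fields whose storage scheme is "public", i.e. uploads land
// at a URL anyone can link to, and (2) temporary uploads (status 0) already sitting
// under public://, with how long cron will leave them reachable (default 6 hours).

// 1. Field storage audit: "Public" storage is the setting the PSA warns about.
$public_fields = array();
foreach (field_info_fields() as $field_name => $field) {
  if (in_array($field['type'], array('file', 'image'), TRUE)
      && $field['settings']['uri_scheme'] === 'public') {
    // $field['bundles'] is keyed by entity type => list of bundles using the field.
    $public_fields[$field_name] = $field['bundles'];
  }
}
if (empty($public_fields)) {
  drush_print('OK: no file/image fields use the public storage scheme.');
}
foreach ($public_fields as $field_name => $bundles) {
  foreach ($bundles as $entity_type => $bundle_list) {
    drush_print(sprintf('WARNING: %s (%s: %s) stores uploads publicly; switch it to "Private".',
      $field_name, $entity_type, implode(', ', $bundle_list)));
  }
}

// 2. Temporary files exposed right now. Drupal 7 keeps temporary files for
// DRUPAL_MAXIMUM_TEMP_FILE_AGE seconds (21600 = 6 h) before system_cron() deletes them.
$result = db_query(
  "SELECT fid, uri, timestamp FROM {file_managed} WHERE status = :status AND uri LIKE :prefix",
  array(':status' => 0, ':prefix' => 'public://%')
);
$count = 0;
foreach ($result as $row) {
  $count++;
  $age = REQUEST_TIME - $row->timestamp;
  $remaining = max(0, DRUPAL_MAXIMUM_TEMP_FILE_AGE - $age);
  drush_print(sprintf('EXPOSED: fid %d at %s, uploaded %d min ago, reachable for ~%d more min',
    $row->fid, file_create_url($row->uri), (int) floor($age / 60), (int) floor($remaining / 60)));
}
drush_print(sprintf('%d temporary file(s) currently reachable under public://.', $count));
```

On Drupal 8 the equivalent checks are the `uri_scheme` setting in each `field.storage.*` configuration entity and the same `status` column of `file_managed`.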

Longer term, Drupal needs to reduce the default 6 hour period after which temporary files are removed. 15 minutes or 1 hour should be sufficient. Alternatively, this option should be configurable on a per website basis. Ultimately, Drupal’s entire handling of temporary files (as in this case) needs to be improved. It is reasonable to expect that temporary files should not be accessible at all via a public URL for any period of time. Update 1st November: a new issue has been created to address the temporary file issue in Drupal 7 and 8, see https://www.drupal.org/node/2817427